Here’s some good news for anyone who has been struck by auto-running malware from a USB stick in the past.

Microsoft has rolled out an “important, non-security update” through Windows Update, changing the behaviour of Autorun when you plug a USB stick into your computer.

Not sure what Autorun is? It’s the technology which causes a program to start automatically when you insert a CD or USB stick into your Windows PC. You may have spotted the Autorun.inf files in the root directory of your USB sticks and on CDs in the past.
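As an added illustration (not part of Cluley's post), here is a small Python script that parses a constructed Autorun.inf and reports what Windows would launch from it and how that entry would be dressed up for the user, the sort of check a defender can run over a removable drive's root directory before trusting it. The sample file and all key names follow the documented Autorun.inf format; nothing here is taken from a real drive.

```python
import configparser
from typing import Dict, List

# Constructed sample Autorun.inf (not from any real drive), modelled on the
# documented file format: "open"/"shellexecute" name what would be launched,
# "shell\<verb>\command" lines rewire Explorer's context-menu verbs, and
# "label"/"icon"/"action" control how that choice is shown to the user.
SAMPLE_AUTORUN_INF = """\
[autorun]
open=setup.exe
icon=setup.exe,0
label=Holiday Photos
action=Open folder to view files
shell\\explore\\command=setup.exe
"""

LAUNCH_KEYS = ("open", "shellexecute")
PRESENTATION_KEYS = ("label", "icon", "action")


def parse_autorun_inf(text: str) -> Dict[str, str]:
    """Return the [autorun] section as a dict with lowercase keys, or {} if absent or unparseable."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text)
    except configparser.Error:
        return {}
    if not parser.has_section("autorun"):
        return {}
    return dict(parser.items("autorun"))


def assess_autorun_inf(text: str) -> List[str]:
    """List what the file would launch and how it dresses up that choice."""
    section = parse_autorun_inf(text)
    findings: List[str] = []
    for key in LAUNCH_KEYS:
        if key in section:
            findings.append(f"launches: {section[key]} (via {key}=)")
    for key, value in section.items():
        # A rewired verb such as "explore" runs a program when the user merely
        # double-clicks the drive in Explorer, even with no automatic launch.
        if key.startswith("shell\\") and key.endswith("\\command"):
            verb = key[len("shell\\"):-len("\\command")]
            findings.append(f"context-menu verb '{verb}' runs: {value}")
    for key in PRESENTATION_KEYS:
        if key in section:
            findings.append(f"presentation: {key}={section[key]}")
    return findings


FINDINGS = assess_autorun_inf(SAMPLE_AUTORUN_INF)  # run over the constructed sample
```

On the sample above the findings show that a file labelled "Holiday Photos", whose menu entry reads "Open folder to view files", would in fact run setup.exe.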

It may sound like a neat idea, but a lot of malware (the Conficker worm is perhaps the most infamous example) has exploited the technology to infect computers via USB sticks in the past.

The more recent versions of Windows, like Windows Vista and Windows 7, have made changes to the way that Autorun operates and this has helped fight the spread of Autorun malware. But older versions of Windows, such as Windows XP, were still often at risk.

In fact, in a blog post published yesterday, Microsoft’s Holly Stewart presented statistics which suggested that “Windows XP users were nearly 10 times as likely to get infected by [Autorun malware] in comparison to Windows 7.”

Note, however, that this isn’t the death of Autorun entirely. As Microsoft’s Adam Shostack explains on the MSRC blog, Autorun is still available for “shiny media” such as CDs and DVDs.

Hmm. I guess that will be welcome news for any misguided company which tries to emulate Sony’s disastrous scheme from 2005 where music CDs automatically installed a rootkit as part of their DRM copy protection.

All in all, though, Microsoft has done a good thing here. Autorun was never a necessary technology in my view, and its exploitation by malware made it a dangerous liability. Locking it in a windowless room, handing it a service revolver and appealing to its sense of decency is probably the best move that we can make.


About the author

Graham Cluley runs his own award-winning computer security blog at https://www.grahamcluley.com, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances, co-hosts the weekly "Smashing Security" podcast, and is an international public speaker. Follow him on Twitter at @gcluley

13 comments on “Microsoft says ‘Good riddance’ to USB Autorun”

as vesselin pointed out to me some years ago (complete with microsoft documentation) autorun didn't automatically launch programs when inserting a standard flash memory drive into the USB port (CDs, DVDs, and U3 capable flash drives are a different matter). they can automatically launch programs when you double click on the drive in windows explorer, however.

I've never been able to remember which was AutoPlay and which was AutoRun.

IIRC, it was the defunct AutoPlay which launched apps directly and silently, whilst AutoRun is the name for the feature which pops up a menu in which the default option can be overridden by the AUTORUN.INF file, and in which the text and icon displayed for that default option is also controlled by potentially hostile metadata on the USB key.

So although it doesn't exactly force a program to run, it takes you soooo close – and lets you make that default choice look soooo innocent that it might as well do so.

i humbly submit that if autoplay automatically runs things, and autorun pops up a dialog that lets you play audio/video/whatever from the removable storage medium, then the names are completely backwards.

I’m not a big fan of Autorun on ANY removable media. I’m perfectly capable of launching software, wherever it is located, at the time that I want to launch it. I’m also perfectly capable of launching the appropriate readers/viewers/players and reading/viewing/playing the desired files.

Of course, I also recognize that not everyone (indeed, very few) have my level of computer knowledge, and they depend on these shortcuts to aid them in their computer’s operation. I surmise that this action will afford very little advantage to those people…they’re the ones who will, for example, click on anything on FaceBook. Not knowing there is malware on the USB stick, they’ll just give it permission to run and get infected anyway.

You can bet the malware writers know this. I seriously doubt that this will have any great impact on the problem.

Thanks Sean. When I tested it I was able to install it as an optional update on my Windows machines – so PC Mag is right that you have to dig around a little to ensure that you have installed it on your computer.

Autorun is not a useful feature and never was. It was just a shiny gadget whose purpose was to demonstrate how "cool" a system is, so it even runs programs automatically off an inserted disc/USB stick.
One of the very first things experienced Windows users do is to turn autorun off. On the other hand, I have heard far too many complaints from inexperienced users who don't know how to turn the feature off, that it's messing with their usage of the computer by running things they don't want whenever they insert a CD.
There's nothing difficult in navigating to the drive icon in the Explorer window and double-clicking on "install" or something similar if you *actually want* to run the program off the disc. There's no need for any automation here. And it's actually a bad idea, because the computer doesn't know what you want to do with the media you just inserted.

It's a good start, but I imagine most malware and spyware attacks are internet based. The insert popup really only needs to give the option to 'open the folder to view files' since there is a 9/10 chance that is the user's next action after plugging in a memory card.